Google Buzz Settlement Includes Two Privacy Settlement “Firsts” for the FTC
Kelley Drye Client Advisory
March 30, 2011
Google has agreed to settle Federal Trade Commission ("FTC") claims alleging that the 2010 launch of Google Buzz, a social networking feature linking Gmail users with other people on Google's network, involved deceptive tactics and violated Google's privacy policy. The proposed settlement  includes two firsts for the FTC:
  • First FTC settlement that requires a company to implement a comprehensive privacy program
  • First FTC settlement involving alleged violations of the U.S.-EU Safe Harbor Framework privacy requirements
The FTC Complaint

In its administrative complaint, the FTC alleged that: (1) some Gmail users who declined to enroll in Google Buzz were enrolled anyway; (2) Gmail users that enrolled in Google Buzz were not adequately informed that the people they email most frequently would be publicly disclosed through the "following/followers" function; and (3) the identities of Gmail users that later "turned off" Google Buzz were not removed from the social network. Google's privacy policy stated that information would never be used "in a manner different than the purpose for which it was collected" without the user's prior consent; however, the FTC alleged that use of information provided to Gmail was used for another purpose, the Google Buzz social networking feature, without the users' consent.
Also, the FTC alleged that the practices were deceptive as they did not adequately disclose that certain private information identifying who the Gmail user emailed most frequently would be made public, and that certain user privacy settings in Gmail were not carried over to the privacy settings in Google Buzz. Further, the FTC alleged that these practices violated the US Safe Harbor Privacy Principles of Notice and Choice, as Gmail users were not given adequate notice that information collected in Gmail would be used for a new purpose, and were not given adequate choice about whether they agreed to such new use.

Terms of the Proposed Settlement

The proposed settlement, which is subject to public comment through May 2, 2011, imposes robust requirements on Google, including the following:

  • Before sharing user information with a third party in a manner different from Google's practices in effect when the information was collected, and which results from a change, addition, or enhancement to its products or services, Google must:
  • Disclose (1) the information that will be shared, (2) the identity or categories of the third parties that will receive the information, and (3) the purpose for sharing the information. Notably, this disclosure must be separate from any "end user license agreement," "privacy policy," or "terms of use;" and
  • Obtain express affirmative consent to the sharing from the user.
  • Google must develop, implement and maintain a written comprehensive privacy program including designated employees responsible for the program, identification of reasonably foreseeable risks and safeguards used to mitigate risks; and establishing steps to select and retain service providers.
  • Google must hire a third party privacy and data security professional to conduct assessments of Google's practices every two years for the next twenty years.

Google had previously faced scrutiny from international data protection authorities that noted disappointment and concern regarding Google's privacy practices related to Google Buzz. Additionally, in October 2010, Google settled class action claims that Google Buzz violated Federal and California privacy, computer, and consumer protection laws based on the automatic creation of "follower/follow" lists. The claims were settled for $8.5 million.

What this Means for Business

This FTC action should serve as a reminder that when developing new products, businesses should evaluate whether their privacy practices are and will remain consistent with promises made in their policies and whether they provide adequate disclosures, offer clear choices and obtain meaningful consent from customers when these practices may change. With this important settlement, the FTC has signaled that it intends to raise the bar with respect to future privacy-related enforcement activity regarding the handling of consumers' personal information.

Kelley Drye & Warren LLP

Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.

For more information about this advisory, contact:

Dana B. Rosenfeld
(202) 342-8588
drosenfeld@kelleydrye.com

John J. Heitmann
(202) 342-8544
jheitmann@kelleydrye.com

Alysa Zeltzer Hutnik
(202) 342-8603
ahutnik@kelleydrye.com

Christopher M. Loeffler
(202) 342-8429
cloeffler@kelleydrye.com